Top Threatpost Stories of 2016

2016 was a year to forget on many fronts, and security was certainly no exception. The most-read stories on Threatpost reflect the ups and downs of the year: critical vulnerabilities, important policy debates, and a few breakthroughs on the research front.

Linux vulnerabilities, mobile threats and academic security research dominated the list of the most popular Threatpost headlines for 2016. Here is a look back at topics ranging from the Feds unlocking iPhones and 400Gbps DDoS attacks to a flaw in OAuth 2.0 implementations that academic researchers said could leave one billion mobile apps at risk.

10. Office 365 Vulnerability Exposed Any Federated Account

In April, Microsoft was in the hot seat for a vulnerability in Microsoft Office 365 tied to the way it handled federated identities via SAML. According to security researchers, the flaw put an attacker in a position to access any account and its data, including email messages and files stored in the cloud-based service. Seven hours after Microsoft was notified of the flaw by researchers Yiannis Kakavas and Klemen Bratec, it pushed a mitigation to the service.

Researchers at Bastille Networks said in February that non-Bluetooth wireless devices from seven manufacturers, including Logitech, Dell and Lenovo, are vulnerable to so-called Mousejack attacks that would allow an attacker within 100 meters to install malware on the paired machine or use it as a pivot point onto the network. At the time, Logitech was the only one of the seven that said it had developed a firmware update to fix the problem.

8. Malware Evades Detection with Novel Technique

SentinelOne announced in September that it had found a new strain of document-based macro malware that evades discovery by lying dormant when it detects a security researcher's test environment. The malware evades detection simply by counting the documents that reside on a PC and refusing to execute if fewer than a certain number are present. The idea is that the lack of documents in virtual machines and sandboxed test environments makes it easy, in this case, for malware authors to fly under the radar.

7. LizardStresser IoT Botnet Part of 400Gbps DDoS Attacks

Months before Mirai became a notorious IoT botnet, LizardStresser was paving the way for bad things to come. LizardStresser was leveraging hundreds of internet-connected webcams in attacks against Brazilian banks and government agencies as well as a handful of U.S.-based gaming companies.

6. Hack Crashes Linux Distros with 48 Characters of Code

In October, Linux admin and SSLMate founder Andrew Ayer figured out how, with just 48 characters of code, to crash major Linux distributions by locally exploiting a flaw in systemd. He said the flaw was introduced about two years earlier in systemd 209 and allowed any local user to perform a denial-of-service attack against a critical system component. The command in question, when run as any user, is: NOTIFY_SOCKET=/run/systemd/notify systemd-notify ""

5. FBI Finds Hack to Open San Bernardino Terrorist’s iPhone

In late March, the FBI surprised many when it said it had filed a motion to vacate a scheduled court hearing in its showdown with Apple over its request to unlock San Bernardino terrorist Syed Farook's iPhone. The motion indicated to many at the time, and correctly, that the FBI had found a way onto the phone without Apple's help.

Linux came into focus in February when glibc, the GNU C library at the core of the previous year's GHOST vulnerability, was found vulnerable to another critical flaw affecting nearly all Linux machines. The flaw, found by Google and Red Hat and since patched, was a stack-based buffer overflow in the glibc DNS client-side resolver that put Linux machines at risk of remote code execution.

3. Serious Linux Kernel Vulnerability Identified

A critical kernel flaw patched in January was the most popular of three Linux stories dominating Threatpost headlines in 2016. This Linux flaw, present in the code since 2012, was considered pretty bad because a user with legitimate or lower privileges could gain root access and compromise the entire machine. The flaw also extended to two-thirds of Android devices, according to Perception Point, the company that found the vulnerability.

2. Single Sign-on System OAuth 2.0 Protocol Vulnerable to Hijacking

In November, three Chinese University of Hong Kong researchers found that third-party applications that allow single sign-on via Facebook and Google and support the OAuth 2.0 protocol are exposed to potential account hijacking. The researchers found that 41.2 percent of the apps they tested were vulnerable to their proof-of-concept attack, including popular dating, travel, shopping, hotel booking, finance, chat, music and news apps. The researchers say more than one billion apps are at risk from attackers who could take advantage of poor OAuth 2.0 implementations.
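The story above does not spell out what a "poor OAuth 2.0 implementation" looks like on the server side, so here is an added illustration (not code from the researchers, from Threatpost, or from any of the apps studied). It assumes one common weak pattern: the app's backend accepts a user identifier relayed by the mobile client instead of deriving identity from the token it verifies with the identity provider (IdP). The IdP, its tokens, client IDs and user IDs are all constructed stand-ins; a real backend would call the provider's token-verification endpoint over TLS.

```python
"""Added illustration: a weak 'sign in with X' backend beside a hardened one.
All tokens, client IDs and user IDs below are constructed for the example."""
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for the IdP's token-verification endpoint: maps an access
# token to the user it was issued for ("sub") and the app it was issued to ("aud").
IDP_TOKENS = {
    "tok-victim-shopapp":    {"sub": "user-1001", "aud": "shopapp-client-id"},
    "tok-attacker-shopapp":  {"sub": "user-2002", "aud": "shopapp-client-id"},
    "tok-attacker-otherapp": {"sub": "user-2002", "aud": "otherapp-client-id"},
}

# The client ID the IdP registered for *our* app (assumed value).
OUR_CLIENT_ID = "shopapp-client-id"


def idp_verify_token(token: str) -> Optional[dict]:
    """Stand-in for asking the IdP about a token. None means invalid/unknown."""
    return IDP_TOKENS.get(token)


@dataclass
class SignInRequest:
    access_token: str      # token the mobile client got from the IdP
    claimed_user_id: str   # identity the mobile client *says* the token belongs to


def weak_backend_login(req: SignInRequest) -> Optional[str]:
    """Weak pattern: checks only that the token is some valid token, then binds
    the session to whatever user ID the client relayed. Anyone holding any valid
    token can therefore log in as any user ID they care to claim."""
    if idp_verify_token(req.access_token) is None:
        return None
    return req.claimed_user_id


def hardened_backend_login(req: SignInRequest) -> Optional[str]:
    """Hardened pattern: verify the token with the IdP, require that it was issued
    to this app (audience check), and take the identity from the IdP's answer.
    The client-supplied user ID is never trusted, only the IdP's 'sub'."""
    info = idp_verify_token(req.access_token)
    if info is None or info.get("aud") != OUR_CLIENT_ID:
        return None
    return info["sub"]


if __name__ == "__main__":
    # The attacker owns user-2002, holds a legitimate token for it, and tries
    # to sign in while claiming to be user-1001 (the victim).
    attempt = SignInRequest("tok-attacker-shopapp", "user-1001")
    print("weak backend session for:    ", weak_backend_login(attempt))      # user-1001
    print("hardened backend session for:", hardened_backend_login(attempt))  # user-2002
```

The audience check matters on its own: a token the attacker legitimately obtained from the same IdP for a different app must not be accepted here, which is why the hardened version rejects the "otherapp" token outright rather than just mapping it to its subject.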

1. Academics Make Theoretical Breakthrough in Random Number Generation

An academic paper on a theoretical breakthrough in random number generation was released in March. The research has potentially long-lasting implications for cryptography and computer security. The heart of the paper addresses the fact that random numbers are sometimes not so random. Low-quality random numbers are much easier to predict, and if they are used, they weaken the security and cryptography protecting data. "We show that if you have two low-quality random sources—lower quality sources are much easier to come by—two sources that are independent and have no correlations between them, you can combine them in a way to produce a high-quality random number," explained David Zuckerman, one of the two researchers who authored the academic paper.
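To make the idea in the quote concrete, here is an added worked example that is not the construction from the paper and not code from its authors. It uses the classic, much simpler inner-product two-source extractor (parity of the bitwise AND of one sample from each source), with constructed low-quality sources whose bits are each 1 with probability 0.9, chosen so the output bias can be computed exactly. It also shows what goes wrong when the "independent, no correlations" condition is violated: feeding the extractor a source and its own complement yields a constant output.

```python
"""Added illustration of combining two independent low-quality sources into a
high-quality bit with the inner-product extractor. Not the paper's construction."""
import math
import random


def inner_product_mod2(x: int, y: int) -> int:
    """Extract one bit from two n-bit samples: parity of popcount(x AND y)."""
    return bin(x & y).count("1") & 1


def biased_source(n_bits: int, p_one: float, rng: random.Random) -> int:
    """Constructed low-quality source: n independent bits, each 1 with prob p_one."""
    value = 0
    for _ in range(n_bits):
        value = (value << 1) | (1 if rng.random() < p_one else 0)
    return value


def bias(p_one: float) -> float:
    """How far Pr[bit = 1] is from 1/2: 0 is uniform, 0.5 is a constant bit."""
    return abs(p_one - 0.5)


def min_entropy_per_bit(p_one: float) -> float:
    """Min-entropy of one source bit, -log2 of the most likely outcome."""
    return -math.log2(max(p_one, 1.0 - p_one))


def exact_output_p_one(n_bits: int, p_x: float, p_y: float) -> float:
    """Exact Pr[extractor output = 1] for two independent i.i.d.-biased sources.
    Each AND term is 1 with probability q = p_x * p_y, independently of the
    others, and the XOR of n such bits is 1 with probability (1 - (1-2q)^n) / 2."""
    q = p_x * p_y
    return (1.0 - (1.0 - 2.0 * q) ** n_bits) / 2.0


def empirical_output_p_one(n_bits: int, p_x: float, p_y: float, samples: int,
                           seed: int = 1, correlated: bool = False) -> float:
    """Monte Carlo estimate of Pr[output = 1]. With correlated=True the second
    source is the bitwise complement of the first, a maximally correlated input."""
    rng = random.Random(seed)
    mask = (1 << n_bits) - 1
    ones = 0
    for _ in range(samples):
        x = biased_source(n_bits, p_x, rng)
        y = (~x) & mask if correlated else biased_source(n_bits, p_y, rng)
        ones += inner_product_mod2(x, y)
    return ones / samples


if __name__ == "__main__":
    n, p = 32, 0.9
    print(f"source bias {bias(p):.2f}, min-entropy {min_entropy_per_bit(p):.3f} bits/bit")
    print(f"exact output bias over {n} bits: {bias(exact_output_p_one(n, p, p)):.2e}")
    print(f"empirical Pr[1], independent sources: {empirical_output_p_one(n, p, p, 4000):.3f}")
    print(f"empirical Pr[1], complement as 2nd source: {empirical_output_p_one(n, p, p, 200, correlated=True):.3f}")
```

Each source bit here carries only about 0.15 bits of min-entropy, yet 32 bits from each of two independent sources combine into an output whose bias is on the order of 1e-7. The i.i.d. model is only for the exact arithmetic; the inner-product extractor is known to work for arbitrary independent sources whose min-entropy exceeds half their length, and constructions such as the one in the paper aim at much lower entropy requirements. The complement run shows the other half of the quote: with perfectly correlated inputs, x AND NOT x is always zero, so the output is constant and carries no randomness at all.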

About Chris Brook

"Distrust and caution are the parents of security" - Benjamin Franklin